Forensic Buzz

Conversations on corporate fraud, misconduct and noncompliance

Over the years, we at Deloitte Forensic have seen a rise in demand for information on preventing fraud, misconduct and non-compliance among corporates in India. This blog is our latest endeavor to share relevant news, information and opinions from forensic accounting experts and encourage conversation around mitigating corporate fraud, misconduct and noncompliance.

The emergence of social media platforms, increasing internet penetration, and rising mobile connectivity have all resulted in the creation of a new and innovative entrepreneurship ecosystem known as ‘Crowdfunding’. Crowdfunding is becoming an increasingly popular way to connect entrepreneurs in need of finance with investors in search of various forms of return, ranging from pure profits to impact investing and even non-financial returns.

Why are they so successful? Probably because they offer, at a very low entry cost, an easy alternative to traditional financing and investing. Investors can choose projects they like - projects they feel emotionally connected to - and decide to sponsor them. Crowdfunding is furthermore strongly connected to social and impact investing.

How do you categorize crowdfunding activities? Crowdfunding can largely be split into three main types:

o Debt crowdfunding - Investors loan their money and receive interest on their loans in return (also known as “peer to peer lending”).

o Equity crowdfunding - Investors receive shares in a business, and share in the success of that business.

What do you need to be wary of? Each of these platforms can help improve access to finance for growing businesses; as they mature in scale, however, they do come with inherent fraud risks that organizations need to be mindful of. Lack of specific regulations, a small and fragmented market and, often guaranteed, quick high returns are just some of the factors that may inadvertently contribute to the risk of fraud in crowdfunding. Some of these fraud risks can materialize and affect an organization or individual, leading to a fraud incident. In our experience, some of the probable fraud schemes in this space are:

o Money laundering - Fraud is not limited to only those raising money through the platform. Perhaps less obvious, but nonetheless present, is the risk of money laundering. Funds received electronically under the guise of a legitimate crowdfunding offering would be easier to integrate into the financial system than if the transaction were conducted in cash.

o Diversion and siphoning of funds on fake/inflated projects - Given the very nature of a crowdfunding platform, investors in a crowdfunding project may, at times, have limited visibility/transparency to the authenticity of the project they are financing. Fraud can manifest itself in many different ways. Misappropriation can be easy to pull off through false websites. The funds raised can be used for purposes other than what was initially disclosed.

o Identity theft/Cyber security risks - Crowdfunding may be vulnerable to the risk of cyberattacks in view of the online nature of crowdfunding. Such cyberattacks may come in varied forms, such as overloading a platform’s infrastructure, confusing accounts, etc. Like with any online financial transaction, phishing schemes can be used to illegally gain access to personal and financial information, such as credit card and banking information. Hacking of the payment gateway or using stolen credit card information can result in direct revenue losses for the platform.

What is the solution? To know more about these risks in detail and how to protect yourself, read the complete article here. Do you believe crowdfunding is a booming industry? Have you experienced any fraud incidents? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Resolving non-performing assets made an easier task through asset tracing

In the years leading up to 2008, Indian banks lent liberally to fuel the nation’s seemingly unstoppable growth. During subsequent years, with the global financial crisis having far-reaching effects and the consequent slowing of domestic growth, these banks’ Non Performing Assets (“NPAs”) began to rise. The Reserve Bank of India’s Financial Stability Report published on 28 June 2016 placed Gross Non-Performing Advances (“GNPAs”) at 7.6 percent of gross advances - a sharp rise from 5.1 percent in September 2015. Recent public scrutiny of NPAs and their implications on the health of the Indian banking sector have put banks under a lot of pressure to resolve them. Recent guidelines by the Reserve Bank of India define NPAs unambiguously, and prescribe specific actions to deal with them. The mere presence of these NPAs and expected remedial measures have stressed the capital structures of banks.

Resolving NPAs has posed a significant challenge to banks; this is illustrated by the low recovery rates seen in the industry. The flow of borrowed funds is often unclear, and their end use is difficult to determine using conventional methods. Additionally, recovery efforts may be hampered by defaulters’ efforts to conceal their assets.

An asset trace leverages publicly available information, data from land records, and other such registries to identify assets held by defaulters. Market intelligence activities driven by preliminary findings from the public domain often yield information on assets held in the name of family members and close associates. Documents gathered during the course of such activities, land titles and vehicle registrations for instance, have legal standing as evidence in a court of law. Such evidence can be used by creditors when defaulters claim an inability to repay. This makes asset tracing a powerful tool for lenders pursuing defaulters for recovery. Asset tracing can also assist in identifying assets which have recently been transferred by the defaulting borrower to evade the recovery process.

However, the Government of India has in August 2016 cleared a bill which mandates a central registry to be created to maintain records of transactions relating to secured assets which would hopefully assist in the recovery process in the event of a default.

Do you believe organizations are leveraging the use of asset tracing to their full ability? Do you think institutions are aware of all the advantages arising out of an asset tracing exercise? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Counterfeiting is a growing, global problem that affects all industries — from electronics and technology, to luxury fashion goods and fast-moving consumer goods. The scale of the problem is apparent in both the demand for such goods and the volumes in which they are being produced.

As the counterfeiting market expands, it becomes even more important for brands to protect themselves in terms of their reputation and bottom lines, as well as their customers. But what exactly can be done to tackle the problem, especially with counterfeiters operating on a global platform?

In our experience, following are some of the best practices for brands to help tackle this issue:

1. Attain global visibility - Counterfeiters operate over a wide range of channels; all of these channels, including online marketplaces, e-commerce sites, message boards, and the rest must be monitored and analyzed. It has become important to study the patterns and the modus operandi adopted to be able to anticipate future behavior patterns. This will in turn help the companies develop proactive internal controls and strategies.

2. Monitor points of promotion - While it is obviously important to identify and shut down distribution channels, it is almost certain that counterfeiters will regularly search for new sales venues. Counterfeiters are not known to use the same promotional channels as the manufacturer to market their products. In fact, they rely heavily on traditional methods of selling on the network of other entities engaged and interested in such activities. Also it is important to note that most counterfeiters will be based out of low-key areas with limited accessibility and maintain a low profile.

3. Take proactive action - Counterfeiters obviously encounter more success when left to operate unchallenged. Once a brand understands where the greatest threats lie, proactive action is one of the effective strategies. Brands should consider the following steps:

Set priorities: Identify the biggest offenders, offering the greatest number of counterfeit goods in the most highly trafficked venues, and address them first.

Watch for cyber squatters: Brands should actively monitor the Internet for unauthorized use of their branded terms in domain names. This will aid in rapid detection of e-commerce sites selling counterfeit or unauthorized goods.

Provide mechanisms to help deal with counterfeit sales situations: Most online channels today need to have processes that look into this risk. Online marketplaces, for example, typically have policies and procedures enabling brand owners to report listings that infringe their brand.

4. Fight counterfeit sales holistically - This means that the brand owners should set up a cross-functional team to address the issue in a coordinated, holistic manner. Stakeholders — and, therefore, recommended participants — could vary by industry and enterprise, but could include legal, marketing, risk management, loss prevention, channel sales management, manufacturing, supply chain management, and other functional units.

5. Educate your customers - Educate your customers about the risks of buying from unauthorized sources and encourage them to report suspicious goods and sellers. Brands could also provide form or email-based mechanisms for reporting suspected infringement. It has become vital that companies invest in a good mechanism for receiving and redressing complaints as a first step towards mitigating the menace caused by counterfeit goods. When offering such tools, be sure to reinforce the benefits of buying authentic goods from authorized sellers. It is also important that consumers not only be aware of the differences between authentic and fake products but also be well-equipped and educated on the reporting process once they have spotted fakes.

Do you believe your organization has adequate mechanisms to tackle the menace of counterfeiting? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

eCommerce has been considered as one of the fastest growing sectors in India and is projected for phenomenal growth in the future. However, given the intensifying pressure on margins and the need for cost optimization, losses due to fraud can significantly impact the profitability of eCommerce companies.

For eCommerce businesses, the inherently complex nature of business operations, sophisticated use of technology, reliance on multiple stakeholders and third parties, and limited sector-focused regulation have made them much more susceptible to the risk of fraud than other sectors. Some of the key issues to watch out for are:

Counterfeit and banned products: eCommerce platforms are being increasingly used for the distribution of banned and counterfeit goods. This could be due to the limited control that eCommerce players have on the final product being sold, as well as their high level of dependence on compliance protocols followed by sellers. With the responsibility of ensuring product quality, authenticity of goods and packaging lying with the sellers, the probability of counterfeit goods being introduced into the supply chain and eventually reaching the customer can therefore be high.

Unscrupulous vendors: Another vulnerable area affecting the eCommerce sector is the fast paced manner in which sellers are brought on board i.e. using basic checks as part of their KYC without authenticating the genuineness of the sellers in a robust manner. There are cases where the same set of vendors get registered across multiple eCommerce websites and conduct fraudulent transactions without getting caught.

Supply chain frauds: The limited focus on fraud risk governance across the life cycle (of business) could result in the prevalence of fraud schemes such as theft of inventory, unauthorized sales or replacement of products, kickbacks and cash misappropriation by logistics service providers particularly in cash on delivery transactions.

Data security: The greatest asset of eCommerce companies is their data, including customer database, purchasing patterns and personal information which could be susceptible to leakage due to access by third parties. Moreover, the lack of a specific data privacy law could create uncertainties around security of data.

Tackling these red flags is imperative for eCommerce players in order to keep fraud risks at bay.

Is your organization aware of the emerging challenges of the eCommerce industry? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

The E-Commerce industry has been considered as one of the fastest growing industries in India. It is also one of the newest industries in India, one which leverages existing offline businesses to deliver a seamless online experience. A typical E-Commerce transaction, while looking very simple to an outside observer, usually involves the participation of several different industries: Telecom, which provides the bandwidth to conduct such transactions; Logistics, which takes care of delivering the physical goods to the end customer; and Banking, which handles either the offline or the online payment aspect. Thus, while an E-Commerce company can gain tremendous scale by leveraging these offline industries, it could also open itself up to various points of attack.

It is important for E-Commerce companies to be aware of the vulnerable (fraud risk) areas and to adequately safeguard themselves against incidents of fraud by creating and implementing suitable anti-fraud strategies. In our experience, some of the key areas to watch for are:

Order fulfillment: Companies must stay vigilant to prevent any loss of data, leakage of confidential/ private information during the order fulfillment process. Data integrity and security must be ensured to give the customer the best possible experience.

Payment: Each payment mode must be carefully scrutinized to ensure there are no gaping loopholes through which customer money could be misappropriated. Third party payment gateways especially are areas where a company should stay extra vigilant and ensure the gateway follows best practices when it comes to cyber security.

Sellers/ vendors: A company’s reputation often hinges on the type of sellers and vendors it allows on its platform. Inadequate background checks and lack of proper due diligence on vendors can lead to adverse impact on brand reputation and possible loss of customer confidence.

Network security: The greatest asset of E-Commerce companies is their online presence. As such, cyber security plays an essential role across most E-Commerce companies. Companies should protect themselves and their customers by employing best practices in security by adopting a two factor authentication process, creating specific access controls, monitoring applications with access to company data, maintaining security patches etc.

E-Commerce companies need to start incorporating fraud risk management processes in every stage of the business life cycle so that as the company grows in scale, its fundamental foundations are firm and secure. In our recent brochure, we have detailed out some of the potential fraud risks that a company could face during a typical E-Commerce transaction. Alongside, we have provided a number of solutions which could help tackle these problems and vulnerabilities.

Does your organization have a proactive fraud risk management program? Let us know by writing to us at inforensic@deloitte.com or on Twitter @deloitteindia.

By Wilfred Bradford (Director) and Snehal Poojari (Deputy Manager)

Supply chain fraud risk – Who is to be blamed in house?

The “Make in India” program was launched by the Indian Government in 2014 as part of a wider set of nation-building initiatives. Devised to transform India into a global design and manufacturing hub, the campaign aims to bring in fresh foreign investments, technology transfer, infrastructure development, innovation, tax reforms and ease of doing business to promote improvements in regulatory environment through deregulation, delicensing and simplification of procedures especially in the domestic space and manufacturing sector.

However, with globalization, the domestic sector is under pressure to compete with international brands. Continued pressure to reduce cost, improve quality, undertake mass production, meet unparalleled demand of global consumers, international trade, global sourcing and e-commerce have made the supply chain grow and become more complex. Increased complexity has exposed the supply chain to several unprecedented vulnerabilities which can be broadly categorized into internal and external risks.

Companies sometimes focus more on the external factors and frame policies and procedures to circumvent the external threats to supply chain thereby paying little attention to the danger that the employees within the organization could cause to effective functioning of supply chain.

Biased or unorganized method of bidding and granting contracts - Generally, before onboarding a new vendor, an organization considers factors like product quality, business stability, credit terms and rates offered by the vendors etc. However, little attention is paid to details like who are the promoters of the vendor organization, how was the bidding process carried out, who introduced the vendor etc.

Ambiguous contract terms - Tender documents containing instructions to bidders, or the general and the special conditions of contract, are not updated to suit the contract requirement. As a result, obsolete, irrelevant and sometimes conflicting, vague and incomplete clauses are incorporated in the bid documents. Sometimes the ambiguities in the contract clauses are detected at the time of execution of works and, due to wrong interpretations/disputes, contracts get delayed.

Non-existence of right to audit - This clause states that the vendor/contractor shall maintain a reasonable accounting system and that the company or its authorized representatives shall have the right to audit, to examine or make copies from the financial and related records pertaining to the contract executed between the company and its vendors. Absence of this clause is a potential red flag for supply chain fraud.

Undisclosed conflict of interest between employee and vendor - Instances where the employee of the company does not disclose his relationship with the vendor/contractor of the company, i.e. there is non-disclosure of conflict of interest by the employee. The employee may derive certain direct or indirect benefit from the execution of the contract between the company and such related vendor in the form of kickbacks or commission.

By keeping a check on the red flags, some of which are set out here, organizations could proactively help in minimizing the occurrence of frauds in the supply chain function.

Is your organization prepared to tackle Supply Chain Fraud? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

By Veena Sharma (Director) and Rini Roy (Assistant Manager)

Understanding Sexual Harassment and how companies are complying with the POSH Act

The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (referred to hereafter as “the Prevention of Sexual Harassment Act” or “the POSH Act”), has provided for ways to deal with complaints of sexual harassment by empowering the internal complaints committee (“ICC”) with certain powers including powers similar to a civil court in certain matters.

According to Deloitte India’s Anti-Sexual Harassment survey report, 2016 (the “survey”), organizations tend to rely on external professional experts such as lawyers (54 percent of survey respondents), psychologists (46 percent of survey respondents) and forensic experts (19 percent of survey respondents) to resolve cases involving sexual harassment. Engaging external lawyers or forensic experts may assist the ICC in carrying out a fair and independent investigation.

Forensic experts bring the advantage of advanced forensic technology, which is capable of imaging any electronic devices submitted by the aggrieved woman and/or respondent by performing independent reviews of communications such as e-mail, voicemail, instant messenger history from their company-owned computers etc., through retrieving, collecting, identifying and preserving crucial evidence in a manner that may be produced before the ICC and/or a court of law. Further, forensic experts may also help ascertain false/malicious complaints by conducting business and market intelligence gathering via social media searches and open source background checks of connected parties.

Given the sensitivity and urgency of the allegations involved, it may also help if organizations established a case management system, which would enable investigations to commence at the earliest and conclude within 90 days of receiving the complaint, as prescribed by the POSH Act.

A web-based case management system (only 13 percent of survey respondents indicated they followed this approach) to handle complaints may also help set up alerts and minimize time lost in coordinating views between the ICC members and documenting them, thus serving to maintain a repository of all cases of sexual harassment handled by ICC.

Does your organization leverage external experts to assist with sexual harassment cases? Do you have a centralized system to track the management and resolution of sexual harassment cases? Share your view by writing to us at inforensic@deloitte.com or on Twitter @deloitteindia.

The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (referred to hereafter as “the Prevention of Sexual Harassment Act” or “the POSH Act”) mandates the formation of an Internal Complaints Committee (“ICC”) which is vested with certain powers and can recommend to the employer, on the written request of the aggrieved woman, to transfer the respondent or the aggrieved woman herself to a different workplace or to grant her leave, over and above her entitled leave, up to a period of three months.

Inextricably linked with these powers, it is imperative that the committee members involved in handling complaints have the relevant experience and adequate knowledge of compliance obligations as laid down by the POSH Act. As part of the complaints facilitation mechanism, it is important for the ICC to stress the need for written complaints from complainants so that the complaint is admissible under the POSH Act and resolution can follow the prescribed course of actions under the POSH Act.

However, according to Deloitte India’s Anti-sexual Harassment survey, 2016 (the “survey”), while a majority of the respondents have established an ICC, more work needs to be done in the area of creating awareness about the reporting of complaints under the POSH Act. About 50 percent of survey respondents indicated that complaints could be reported through the formal whistleblowing mechanism, or by reporting it to managers (50 percent of survey respondents) or any senior woman employee the complainant was comfortable with (60 percent of survey respondents). While multiple channels may give the complainant flexibility to report the issue, it is important to note that unless a written complaint is filed with the ICC by the aggrieved woman within the allocated timelines (within three months from the incident), it cannot be treated as a formal complaint under the POSH Act.

Are you aware that complaints under the POSH Act are admissible only if given in writing to your organization’s ICC? Do you receive periodic communication to this effect from your HR or legal team? Share your views by writing to us at inforensic@deloitte.com or on Twitter @deloitteindia.

By Veena Sharma (Director) and Amrutha Yeshwanth (Deputy Manager)

Understanding Sexual Harassment and how companies are complying with the POSH Act

Two years after the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (referred to hereafter as “the Prevention of Sexual Harassment Act” or “the POSH Act”) came into effect, there is a growing consciousness about the current state of implementation of the POSH Act to prevent sexual harassment at the workplace. According to Deloitte India’s Anti-Sexual Harassment (ASH) survey report, 2016, close to 92 percent of survey respondents said that they had anti-sexual harassment (“ASH”) policies in place, of which approximately 62 percent indicated the presence of separate ASH policies.

Organizations with an ASH policy in place indicated several ways to increase awareness about sexual harassment at the workplace and measures to prevent it. The most preferred approaches included making information available on the company’s intranet/ HR portal (71 percent of respondents), trainings and workshops (indicated by 52 percent of respondents), sending out regular newsletters (38 percent of respondents), using common areas of the office to share posters and information booklets on the subject (27 percent of respondents) and running e-learning programs (25 percent of respondents).

While these interactive measures can bring organizations one step closer to meeting their compliance obligations under the POSH Act, the efficacy of these measures to stem sexual harassment may be relatively limited compared to participative efforts such as face to face discussions and interactions that can provide tips on identifying behaviors that may constitute sexual harassment. (About 38 percent of respondents indicated that their organizations were dealing with the challenge of providing practical tips to identify possible instances of sexual harassment and prevent them).

Given the challenges surrounding the topic, including sensitivities around determination of what constitutes sexual harassment at work place, organizations may need to supplement these efforts by encouraging constructive discussions and looking at the issues in a holistic manner (including cultural issues).

How does your organization provide practical tips on identifying instances of sexual harassment? Let us know by writing to us at inforensic@deloitte.com or on Twitter @deloitteindia.

By Rajat Vig (Partner) and Upasana Sharma (Senior Executive)

Sports in India: Emerging challenges in a new industry

The Business of Sports is a multi-billion dollar global industry propelled by enormous consumer demand.

The number of stakeholders involved in the Indian Sporting industry continues to increase with the advent of new leagues being formed in games such as Kabaddi, Badminton and Wrestling. In our experience, following are some of the key challenges that stakeholders in the sports industry are increasingly facing:

Conflict of interest- Conflict of interest management has surfaced as one of the central issues to the regulation of ethical conduct in sport. Every person connected to the governing body of the sport, its member or its league and its franchisees should try to avoid any act or omission which is, or is perceived to be likely to bring the interest of the individual in conflict with the interest of the game.

Inappropriate conduct – on and off the field - Education on the laws of the land, or on the difference between sledging and being racist, is not imparted to players in their formative years. Individuals representing a franchisee can at times be of minor age as well. They need to be educated on possible situations (such as ethical dilemmas) that may be beyond the control of the sporting company / franchise but may have an impact on it.

Auctions and awards related fraud and misconduct - Limited procedures for reviewing and validating aspects such as the best stadium for viewership experience, or for auction of players, and elections for the apex positions in the organization mean these appointments and ratings are open to rigging and manipulation. Such incidents, if discovered and publicized, can have a significant impact on audience/ fan engagement initiatives and can also jeopardize the existence of the franchise itself.

Risks arising from third parties- Dealing with third parties, especially without being adequately aware of their background, can expose organizations to additional fraud, noncompliance and reputational risks.

Poor revenue assurance/ management - Revenues generated by clubs on non-match days, and under-utilization of fan zones and other facilities etc. can result in losses for organizations. Running revenue assurance procedures can help in identifying potential revenue opportunity, leakages and potential loss-making initiatives.

Do you believe that sports is the next big industry in India? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

By Veena Sharma (Director) and Upasana Sharma (Senior Executive)

Reining in Procurement Fraud and Corruption

“Being proactive also is being reactive …but only ahead of time”

Procurement fraud and corruption remain the most prevalent fraud risk across industries and organisations of varying sizes and operations. Procurement is one of the key functions in the business operations of any organisation, which involves significant outflow of funds for purchase of goods and services, thereby making it a highly vulnerable area for financial leakages. Price manipulation, illicit rebates, bribery, kickbacks and dubious vendor relationships are some of the commonly known procurement fraud and corruption schemes.

The Deloitte India Fraud Survey, released in 2014, highlighted that frauds within the procurement function can be very complex and can happen at any stage of the procurement cycle right from the identification of suppliers to the very critical buying stage and post buying manager-supplier relationships. The damage from such a scenario not only impacts the organization from a monetary perspective, but in today’s digital era it can have a serious implication on the brand, resulting in loss of reputation in the investor group, clientele, the supplier community and other stakeholders.

Organizations instil a certain amount of trust in their employees in order to operate, and those within the procurement function are entrusted with access to vendor selection, vendor files, accounts payable, invoice approval, and purchase orders, which can provide an opportunity to commit fraudulent activity such as bid rigging, false billing schemes, vendor kickbacks, and conflicts of interest.

Setting the right ethical tone within the procurement team and those involved in purchasing/ sourcing activity is therefore vital. As a first step to building a culture of ethics and compliance, it becomes imperative for organizations to have a specific “Purchasing Ethics and Obligations Policy” in place, which all members of the purchasing teams are made to understand and sign-off as a declaration to comply with the provisions of the policy, each year. Companies also need to identify personnel who can resolve employee queries on ethical dilemmas that they may face in their day-to-day business activities or to guide them on compliance with the policy.

To help organizations self-assess their vulnerability to procurement fraud, Deloitte Forensic has developed a secure web-based tool that will allow Chief Procurement Officers (CPOs), Chief Compliance Officers (CCOs) and Chief Finance Officers (CFOs) understand their organizations’ preparedness to tackle fraud, misconduct and noncompliance in the procurement function.

Such a measure is likely to help organizations in proactive fraud risk management in the procurement function, thus nipping the issue of non-compliance in the bud.

Do you believe your organization has adequate mechanisms to mitigate procurement fraud risks? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Do watch out for our next blog in our series on how organisations can build anti-fraud programs and controls to manage procurement fraud risk.

By Jayant Saran (Partner) and Upasana Sharma (Senior Executive)

Ransomware: A threat to cloud services too

As per a report by the Economic Times, India ranks ninth globally in terms of ransomware attacks. Ransomware is malicious software that encrypts the target’s files and holds them ‘hostage’ unless and until the victim pays a ransom to the hacker to regain access. With a rise in the number of cloud-based storage solutions, smartphones, tablets and wearable technology, the risk of ransomware attacks has grown manifold. For enterprises, the impact of ransomware can be fatal, resulting in not just financial losses but also loss of reputation.

A number of users believe that backing up or storing data in the cloud works as a good means of mitigating the risks associated with data loss arising from a variety of reasons. However, many Internet users may be unaware that ransomware can just as easily seize control over files stored on cloud services. In fact, there are additional challenges that companies can face in the aftermath of a ransomware attack on cloud-based solutions. This is because it is difficult to confirm whether the infection has been contained or removed, as the infrastructure is not under the direct control of the company.

In our experience, some of the following measures can help organizations tackle the menace of ransomware attacks:

1. User education - The most common modus operandi reported by users across the globe is receiving an unsolicited e-mail from an unknown sender with an attachment, which when opened spreads malware across the server. Educating users about the proper handling of such unknown or suspicious files is therefore crucial to preventing malware attacks.
2. Employ content scanning and filtering on email servers - Inbound e-mails should be scanned for known threats and any suspicious attachment types should be blocked.
3. Block end users from being able to execute the malware - Software restriction policies can be created and configured to prevent the downloaded threat from being launched. Such policies can block Auto-Run, access to script files and the execution of files from removable volumes, thus preventing launch attempts of malicious files.
4. Limit end user access to mapped drives - The current ransomware threats are capable of browsing and encrypting data on any mapped drives that the end user has access to. Restricting the user permissions for the share or access to the underlying file system of a mapped drive can restrict the threat.
5. Deploy and maintain a comprehensive backup solution - The fastest method to regain access to critical files is to have a backup of crucial data. Backups of data should take place not only for files hosted on a server, but also for files that are stored locally on office systems. Whether these are stored on the company’s infrastructure or in the cloud could be assessed based on the actual risk perception of the company. We have seen some companies take periodic backups on encrypted external hard drives for data pertaining to key personnel rather than just limiting it to the backups taken automatically by the company, locally or in the cloud.
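
Measure 2 above (scanning inbound e-mail and blocking suspicious attachment types) can be sketched as a small attachment filter. This is an added example, not code from Deloitte or the original post; the extension lists, the block/quarantine/deliver verdicts and all function names are assumptions, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy lists (not from the article); tune them to your own mail policy.
BLOCKED_EXT = {".exe", ".scr", ".com", ".js", ".jse", ".vbs", ".wsf", ".hta",
               ".bat", ".cmd", ".ps1", ".lnk", ".jar"}
QUARANTINE_EXT = {".docm", ".xlsm", ".pptm", ".iso", ".img"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Leading bytes that identify executable content regardless of the file name.
EXEC_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def inspect_attachment(filename, payload):
    """Return a list of (severity, reason) findings for one attachment."""
    findings = []
    # Windows drops trailing dots and spaces, so normalise before comparing.
    name = (filename or "").strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    ext = suffixes[-1] if suffixes else ""
    if ext in BLOCKED_EXT:
        findings.append(("block", f"blocked extension {ext}"))
        # A document extension in front of an executable one misleads the user.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT:
            findings.append(("block", f"double extension {suffixes[-2]}{ext}"))
    elif ext in QUARANTINE_EXT:
        findings.append(("quarantine", f"macro-capable or container type {ext}"))
    # Content check: the name claims one type, the bytes say executable.
    for magic, label in EXEC_MAGIC.items():
        if payload.startswith(magic) and ext not in BLOCKED_EXT:
            findings.append(
                ("block", f"{label} content behind '{ext or 'no'}' extension"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and return (verdict, findings)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        is_attachment = (filename is not None
                         or part.get_content_disposition() == "attachment")
        if part.is_multipart() or not is_attachment:
            continue  # skip containers and the plain message body
        payload = part.get_payload(decode=True) or b""
        for severity, reason in inspect_attachment(filename, payload):
            findings.append((severity, filename, reason))
    severities = {severity for severity, _, _ in findings}
    if "block" in severities:
        return "block", findings
    if "quarantine" in severities:
        return "quarantine", findings
    return "deliver", findings


def build_sample(attachments):
    """Constructed test message; addresses use reserved example domains."""
    msg = EmailMessage()
    msg["From"] = "unknown.sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        [("invoice.pdf.exe", b"MZ\x90\x00")],   # executable posing as a PDF
        [("report.pdf", b"MZ\x90\x00")],        # PE header behind a .pdf name
        [("budget.xlsm", b"PK\x03\x04")],       # macro-enabled workbook
        [("notes.txt", b"hello")],              # benign
    ]
    for attachments in samples:
        verdict, findings = scan_message(build_sample(attachments))
        print(attachments[0][0], "->", verdict, findings)
```

A filter like this complements, and does not replace, signature-based scanning for known threats on the mail server.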

Some of the above measures can help safeguard your data from being impacted by ransomware.

How is your organization preparing to defend itself from ransomware attacks? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Globally, competition regulators extensively rely on economic concepts, reasoning, and evidence while deciding on competition related matters. Even in India, we are witnessing increased reliance on economic evidence by the Competition Commission of India (CCI) as well as the Competition Appellate Tribunal in taking decisions on anti-trust issues.

Economic evidence can help corroborate or challenge the key components within the case by assessing or estimating the impact of anti-competitive activities on consumers and market outcomes. In addition, such assessments or estimates can help identify pro-competitive outcomes, if any, to rebut allegations of anti-competitive conduct.

Amongst the varied economic aspects in an anti-trust case, the role of economic evidence is limited to:

4. Quantifying efficiencies arising out of a merger and acquisition scenario and its collective effect on market structure

Economic evidence can help present relevant information to the regulatory authorities so that the information can be considered by them in forming an opinion. Therefore it becomes imperative for organizations to proactively analyze their position from an economics and impact point of view. This could become key to make out a strong case.

The kinds of circumstantial evidence which can be submitted to support economic evidence could be many. Do you have any instances to share? Where (and in which forms) do you feel economic evidence can be used? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

With the year coming to a close and festive cheer upon us, it is considered to be customary for most corporate organizations to hand out gifts, mementos and other goodies to not only their employees, but also to important government officials, customers and vendors. These days, expensive items such as high-end phones, fashion accessories or even hampers with imported wine, chocolates and other ‘goodies’ are often handed out. But this begs the question: are these gifts genuinely looked at as festive generosity or are they meant as inducements/ bribes to influence key decision/ policy makers or to ensure favourable treatment and gain an unfair advantage?

Not always.

Bribing a government official is prohibited under several domestic and foreign legislations such as the Indian Prevention of Corruption Act (PCA) and the United States Foreign Corrupt Practices Act (FCPA). Transgressions can lead to severe fines and in some cases, imprisonment for the person making the bribe. Certain foreign legislations, such as the UK Bribery Act (UKBA), do not distinguish between public and private sector bribery and consider ‘business-to-business’ bribery an offence as well.

However, gifts do not always constitute bribes. Most multinationals operating in India fall under the purview of either the FCPA or UKBA and therefore incorporate gift policies into their organization’s code of conduct, which allow employees to present gifts to government officials and other individuals with a limit (usually between US$50-75) on the value of the gift. Such policies also generally include restrictions on the kind of gifts, the occasions on which gifts can be given and generally require approval from the compliance team. A gift, no matter how small the amount, given to a government official with the intention of influencing the official or to gain an undue advantage would almost certainly be deemed bribery. Therefore giving of any gifts must be considered carefully to make sure they do not end up exposing the corporate entity concerned to non-compliance under FCPA or UKBA.

As an organization, how do you ensure you do not fall foul of these laws and regulations? Of foremost importance is having a clear and defined gift giving policy as part of the organization’s code of conduct, with strict guidelines for gift giving, including approval matrices and value limits. According to the United States Department of Justice, ‘many larger companies have automated gift giving clearance processes and have set clear monetary thresholds for gifts along with annual limitations’ as a control measure against unauthorised gift giving/ bribery.

In our experience, an organization’s general policy guidance for hospitalities, gifts and entertainments should cover the following:
1. Should be given or accepted on an occasional basis.
2. They should not be given or accepted as a reward or encouragement for preferential treatment or for something expected in return.
3. Should not be given or accepted as cash or cash equivalent.
4. Should avoid being given to politically connected individuals.
5. Should be accurately recorded in the firm’s accounting records.
6. The policy should also set clear monetary thresholds for gifts, along with annual limitations, with limited exceptions for gifts approved by appropriate management.

While gift giving traditions may vary across the globe due to cultural differences, it is important to find that balance and maintain compliance with relevant laws. This situation can easily become a slippery slope, making it difficult to prevent payments that cross the line between permissible practices and bribery – but eventually an organization needs to take onus and view compliance as a top priority.

What do you believe is the right fit (during the season) that upholds compliance standards? Have you ever faced issues in drafting an anti-bribery and corruption gifting policy? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

India ratified the United Nations Convention against Corruption (UNCAC) in 2011 and since then has been implementing a slew of regulations to support anti-corruption efforts. These include the amendments to the Prevention of Corruption (Amendment) Bill, 2013, the Prevention of Money Laundering Act, 2012, the Public Procurement Bill, 2012, and the Real Estate Regulation and Development Bill, 2013. Additionally, Indian companies doing business overseas are also focused on complying with global laws like the US Foreign Corrupt Practices Act and the UK Bribery Act.

While the historical approach to compliance has been reactive in nature, in the current business scenario, it is important for corporates to realize that if approached strategically, compliance is not a burden but an opportunity.

Companies need to stay alert if they are to avoid loss of reputation, plummeting share prices, fines or even legal proceedings. With a view to helping organizations protect themselves from being under the scrutiny of regulatory bodies, Deloitte India recently organized a webinar titled ‘Encouraging a transparent and clean business environment’, which emphasized the following key questions that the management needs to ask to ensure compliance:

Does your organization have a zero tolerance approach to bribery and corruption?

Has your senior management clearly demonstrated the tone at the top and communicated the minimum ethical values to be displayed in business dealings?

Is your existing compliance program detecting instances of bribery and corruption effectively?

Are you aware of the background of the entities/ individuals with whom you interact regularly for business purposes? Are they aligned with your company’s policies on anti-bribery and corruption?

Has your company opened various channels for employees and/ or external parties to communicate potential bribery or corruption related issues? If yes, is there a robust incident response mechanism within the company?

Read more about our webinars in our upcoming posts. If you wish to suggest topics for discussion for the subsequent editions of webinars, please write to us at inforensic@deloitte.com or share your views on Twitter @deloitteindia.

As per the World Bank’s latest report, Doing Business 2016, India has been ranked 130 (out of 189 economies) on ease of doing business – a jump of nearly 12 places from the last report. Though it has been debated whether the jump is significant (or not), what has gone unnoticed is the fact that India has moved only one place in terms of ranking for resolving insolvencies i.e., from 137 to 136. This encapsulates the challenges that we are facing with managing insolvencies in India. The average time taken for insolvency proceedings in India (according to the report) is about 4.3 years, while it is only 1.7 years in high-income Organization for Economic Co-operation and Development (OECD) member countries. Having a robust insolvency resolution mechanism can help creditors recover a larger part of their investment faster allowing them to re-invest in other businesses, thereby facilitating the efficient flow of capital across the economy.

A strong bankruptcy law, therefore, becomes a critical requirement that provides a debtor with various mechanisms to restructure and revive its business, be it acquiring finance on favorable terms or providing a stay on litigation. For banks and lending institutions, a more comprehensive bankruptcy law would help protect their rights, promote predictability, clarify the risks associated with lending, and make the collection of debt through bankruptcy proceedings more attractive, thereby facilitating credit and a higher flow of capital in the economy.

While there is no comprehensive and integrated policy on corporate bankruptcy in India; along with the Companies Act, 2013, there are three major legislative Acts and several special provisions, which provide procedural guidance on the liquidation or reorganization process. As a result of these, four different agencies [the High Courts, the Company Law Board, the Board for Industrial and Financial Reconstruction (BIFR), and the Debt Recovery Tribunals (DRTs)] have overlapping jurisdiction, which can create systemic delays and complexities in the process. This further causes the entire bankruptcy process to become lengthy with poor enforcement mechanisms.

Along with other benefits that a strong bankruptcy law will entail, it would also help to give banks teeth to tackle the problem of stressed assets. We therefore believe, the Draft Report submitted by the Bankruptcy Law Reform Committee (BLRC) to the Finance Minister (on 4 Nov 2015), is a positive step towards suggesting immediate reforms to the existing legal regimes governing bankruptcy in the country.

Whilst the BLRC recommendations seem to address most of the aspects relating to bankruptcy in India, there are a couple of areas where the recommendations could have been strengthened. One view is that the viability of an enterprise should not just be examined by a committee of creditors but by a team which would have a wider participation of all stakeholders – creditors, shareholders, promoters, etc. Additionally, given that in developing countries such as India, the litigation process may be used to cause delays, it is advisable to include a provision which will empower the regulator to levy fines in case frivolous adjournments are sought.

The new rules may encourage Indian promoters to approach lenders with their revival plans at a much earlier stage of stress and discourage abusing the system. It is also believed that the recommendations would ease the investment opportunity in the country for Special Situation funds which are involved in acquiring distressed assets and thus are an important part of the bankruptcy eco-system. This will help banks/ financial institutions recover dues with a fair degree of certainty as well as within a select time frame. This in turn will help banks avoid the perils of a time-consuming litigation process which tend to work to the benefit of a corporate house/ promoter since it delays a bank from taking control of assets post default.

While the bankruptcy law is a much needed regulation, the devil may be in its implementation, as we have witnessed numerous past instances of ineffective enforcement despite the establishment of a strong regulation.

Share your views on the proposed bankruptcy law by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

The consumer goods sector is known for its ever changing business dynamics and evolving regulatory standards. Amidst a stiff competition among domestic and international players, this sector has seen formidable names of the past become significant casualties in the present due to certain trade practices in the market place by industry players.

Taking cognizance of this issue, the government of India enacted the Competition Act 2002 to promote and sustain competition in the market while preventing practices having adverse effects on competition. The Competition Commission of India (CCI), the entity constituted under the Act, has the role of regulating competition in the Indian market. Over the years, CCI has become more active and has taken up cases across the cross section of the industry to enforce the spirit of the Act. The industry players need to be watchful of practices that were hitherto considered acceptable and may get construed as unacceptable under the requirements of the Act. Compliance with the Act needs to be looked at seriously, as there are stringent financial penalties under the Act, which may lead to significant disruption to business.

At a round table industry meeting organized by Deloitte across Mumbai, Delhi and Bangalore, the following Competition Law concerns were found to be plaguing the consumer goods industry:

Presence of certain arrangements/ agreements with distributors, suppliers, stockists and retailers that may get classified as anti-competitive

Bid rigging/ cartelisation in public procurement

Abuse of Dominance through practices that may get construed as ‘Predatory’ pricing and/ or ‘Unfair/discriminatory’ terms and conditions in relevant market

Seeking approval from Competition Commission of India for notifiable combinations

The industry players need to move decisively to mitigate the risk of regulatory scrutiny and financial penalties. In our experience we think that the following actions need to be taken by all the industry players to effectively manage the risk of regulatory scrutiny:

Review all existing contracts to ensure that the terms and conditions of the contract are compliant with the Competition Act

If any anti-competitive terms and conditions are identified in the agreement, then the same needs to be strengthened and remediation process initiated by amending the relevant clauses in the contract, notifying the customer, dispute resolution process, etc.

Change and align certain business practices to the requirement of the competition law on timely basis

Create awareness amongst key management personnel and conduct training for all employees to ensure compliance with the competition regulation. The training programs should focus on the dos and don’ts as well as the conduct expected from the employees.

Obtain an annual declaration and sign-off from all key management personnel in decision-making positions that they have complied with the Competition Act

Create awareness about precautions that need to be taken by the key management personnel in market facing and commercial roles

Evaluate if the spirit of the Act can be used as a business strategy to bring to notice of CCI if there are any anti-competitive practices being used by competition in the market place

Read more about discussions in the Deloitte Round Table conference in our upcoming posts. If you wish to suggest topics for discussion in the next edition of the conference, please write to us at inforensic@deloitte.com or share your views on Twitter @deloitteindia.

By Nikhil Bedi (Senior Director) and Ankita Malik (Deputy Manager)

Knowing your NGO partner better through due diligence

Earlier this year the Government of India took an unprecedented step by canceling the licenses of close to 4470 NGOs for noncompliance with the Foreign Contribution (Regulation) Act, 2011 (FCRA). Violations stated by the government included not filing annual returns for three consecutive years, not utilising the funds for the purposes intended and irregularities in maintaining statutory documentation relating to the foreign funds. The move reiterates the government’s intent to curb black money and illegal funding by understanding the source and end use of foreign funds, especially foreign contributions to NGOs and charities.

For foreign companies and entities donating money to NGOs and charities, the risk of violating FCRA norms can have a significant impact on their reputation and hamper the company’s corporate social responsibility activities. Post the government’s action, we are seeing a rise in companies and entities conducting a detailed due diligence on Indian NGOs prior to working with them in order to adhere to the guidelines prescribed by the FCRA statute.

Traditionally, NGOs and charities in India have been registered as Trusts and Societies and have been governed by minimal legislation that does not mandate disclosure of several operational aspects. In our experience, several Indian NGOs do not maintain updated books of accounts or details pertaining to their trustees and members. In such a situation, conducting due diligence on NGOs can help to obtain information on the background and other business interests of the entity, as well as reveal potential conflicts of interest and suspicious activity.

An effective due diligence exercise can reveal the following information:

Registration and validity of FCRA registration of the concerned NGO/ charity

Reputation and track record of the NGO and its Trustees. For instance, under the FCRA, donations or grants are prohibited to political parties, politicians, media persons, judiciary, and government servants. If any such members are part of the NGO, a conflict of interest may arise.

Presence of mandatory documentation such as Form FC-6, annual returns, FCRA bank details, and donors

Nature of the NGO association (religious, cultural, economic, educational, social) and the purpose of foreign contributions received

Renewal status of FCRA application

Maintenance of Books of accounts exclusively for foreign contributions

The above mentioned information can be useful in determining potential violation of the FCRA provisions.

Do you undertake due diligence before onboarding your NGO partner? What kind of information has been most useful in determining the future of your business relationship? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

productivity and better control – at least for the most parts of it. However, what many companies are struggling with are the risks emanating from this rapid digitization of business. Cyber threats and attacks from the outside as well as the ‘enemies within’ companies are causing unimaginable losses to many businesses. I use the words ‘unimaginable losses’ as most companies are uncertain about all data that may have been lost and hence cannot even begin to quantify losses.

Data is the new money

A panelist at the Economic Times (ET) Fraud and Investigation Summit 2015 presented by Deloitte, made a comment that data is the new money. In the context of business today, he is not very far from the truth. Businesses have been built on information – whether these are technology companies, outsourcing companies or even manufacturing or consumer goods companies. Customer databases, business plans, market information, product design or launch information, blueprints etc. are all sensitive information and at times sources of competitive advantage for organizations that create or hold these. However, companies often are not even aware that some of this data is available on the internet or being sold illegally in the market.

Companies are also spending more on data security than ever before. Traditionally, companies in the outsourcing industries were the leaders in investing in information security. In more recent times most industries from banking to consumer goods, ecommerce portals to airlines are all spending millions on cyber security. Such measures definitely do reduce the risks of data breaches, however as our expert panel at the ET Fraud and Investigation Summit 2015 (presented by Deloitte) agreed, these are not fool proof. Internal or external breaches can still occur.

The information security systems implemented in organizations need to be complemented with regular awareness and training for employees of the organization and external parties who may have access to the company’s information resources. Another key deterrent that is underrated is social controls, which have been effectively used as a defense against internal data theft, social engineering and threats arising out of internal employee interventions.

What according to you are some of the best ways in tackling data theft? What impact can a cyber-attack have on an organization? What are some of the challenges in responding to technology related fraud risks? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia. Reach out to us and let us know!

Understanding the implications of the Prevention of Sporting Fraud Bill, 2013

Match fixing is a global concern and has been described as the biggest threat to sport in the 21st Century. Match-fixing per se is not new to India, however, the increasing frequency, involvement of corporates and large amounts of money in match fixing in recent times have made it a national sporting menace. By introducing the Prevention of Sporting Fraud Bill, 2013, India is likely to become the first country to have a distinct legislation for sports fraud related to match fixing.

Some of the key offences under this Bill are:

· Manipulation of the sports result, irrespective of whether the outcome is actually altered

· Failure to perform to one’s full potential for economic or other advantage

· Disclosure of inside information which can be used for financial gain or betting or manipulation of the event

· Omission to inform the appropriate authority of any of the abovementioned acts.

As the Bill specifically indicates liability for organizations in light of the above mentioned offences, companies who sponsor or own sporting teams (not limited to just cricket) need to re-evaluate their fraud risk management program. In our view, organizations need to undertake more comprehensive measures (beyond rules made to monitor player behavior) such as:

· Developing and adopting a code of conduct for players as well as the management and other related staff to follow

· Demonstrating a zero tolerance policy to corruption in sport

· Introducing specific policies on match/ spot-fixing in player agreements. Introduce policies limiting access to players prior to the match

· Undertake integrity due diligence of the support staff and experts hired to work with players

While the Prevention of Sporting Fraud Bill, 2013, in its current form, may not address all ills that ail the sporting community, the introduction (and future passage) of this Bill, suggests the political will to address the menace of fraud in sports.

What measures do you think companies owning sporting teams or franchisees should adopt to become compliant with the Prevention of Sporting Fraud Bill, 2013? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

According to a global research report by the Ponemon Institute, nearly 60 percent of employees leaving their organizations were found to be stealing their organization’s confidential data. Most theft of this kind goes unreported, but it is rampant, the report said.

The easy availability of large capacity portable storage devices, cloud-based storage solutions, smartphones and tablets has made it easier for exiting employees to store (and possibly steal) companies’ sensitive information.

However, organizations can safeguard themselves from such data theft by considering the following aspects:

Have a comprehensive record of the data held by the organization - Sensitive information tends to be dispersed among departments or business units. To prevent any data theft, it's important for companies to have a comprehensive record of the data they hold.

Understand the access provided to every employee on company data. This access should be revoked when an employee leaves the company.

Undertake exit checks on devices owned by exiting employees to understand whether confidential data has been copied to a USB device, uploaded to a personal cloud based account or deleted from the company’s IT network. Further analysis on the kind of data accessed by the employee can also help understand the employee’s future use of the data. For instance, a manager level resource storing the resumes of junior level resources on a USB drive can be construed as a possible indicator of his/her attempt to poach these employees in the future.

Put a framework for network access governance in place. Large organizations often provide varying degrees of access to employees on the data residing in their systems. Only select employees have access to confidential information; others receive such access on a need basis.

Is your organization performing a thorough ‘Exit Check’ on employees leaving the organization? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Designing a ‘swift response mechanism’ to tackle bribery in the Maritime and Logistics Industry

24 August 2015

While the risk of bribery and corruption is considered to be high within the Maritime and Logistics industry, companies should nonetheless put in place initiatives that encourage transparency among their employees as well as external stakeholders and third parties.

Companies could partner with shipping agents and freight forwarders to tackle bribery and corruption at the port(s). This could be done by:

Promoting good corporate practices in order to tackle bribes, facilitation payments, and other forms of corruption by adopting anti-corruption policies and procedures in line with global industry wide compliance (with respect to anti bribery laws).

Regularly communicating progress on the implementation of the above policy, sharing best practices and creating awareness of industry challenges.

Collaborating with key stakeholders, including governments, authorities and international organizations, in markets where corruption is prevalent, to identify and mitigate the root causes of corruption in the maritime industry.

Ensuring that the company website and other published materials communicate the company’s zero-tolerance approach to corruption (as well as facilitation payments). This could include statements from senior management demonstrating the company’s top-level commitment to an anti-bribery stance.

Communicating the company’s zero-tolerance of corruption to all employees, customers, suppliers and if necessary agents and other third parties and intermediaries.

Ensuring that anti-corruption clauses are included in all high-risk contracts with the logistics firm and any other agents.

Using a simple checklist to consider if further anti-corruption controls are needed.

Understanding where the risks within the processes lie so that a company can be aware of its exposure in order to deal with them on a proactive basis

Appointing third parties and vendors only after a thorough due diligence and performing vendor/ partner assessments and risk evaluation.

Establishing an effective and confidential whistleblowing mechanism to enable employees and other third parties to voice their concerns without the fear of retaliation.

What are the other methods that you feel can be deployed? Has any initiative helped your organization tremendously? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

The days of identifying information about suspects by leafing through archived files in public libraries and government departments have now given way to a new platform – social media. In our experience, the amount of personally identifiable information available on social media platforms today can include name, address, location, gender, education details, professional qualifications, employment details, nature of work done at the office, indicators of social economic status such as vehicle, jewelry and home ownership, personal preferences in food, fashion and lifestyle choices, financial information such as credit card details, recent purchases made by the individual, and the nature of relationships with other people. Such information can be a treasure chest for fraud investigators to help identify possible suspects and associated parties based on the data shared by these individuals on social media.

While not all information on social media may be credible, a comprehensive social media analysis can help eliminate false positives and provide meaningful insights for investigators. The tips below can help social media analysis generate meaningful outcomes for investigators.

Ascertaining the genuineness of profiles on social media – Discovering fake profiles on social media is fairly common. However, spending too much time assessing a profile only to discover it is fake can cost investigators precious time they need to identify fraudsters. In such situations, cross-checking the profile across various social media platforms such as Facebook, LinkedIn, Google+, Twitter, etc. can be useful. If the information varies significantly across all these platforms, the chances of the profile being fake can be high.

Identifying the modus operandi for fraud – In our experience, extending the social media search to close friends and relatives can often help identify the modus operandi of fraud. Suspects can often transfer ill-gotten wealth (cash and goods received in return for favors) to their relatives and friends to evade scrutiny from government and company officials.

Integrating social media with offline search – In developing markets such as India, social media adoption can be low amongst certain groups of people based on age (say above 40 years), location (say non-metro cities), and levels of mobile penetration (a significant proportion of Indians access social media via their mobile phones). In such cases, relying primarily on social media searches to gather information on suspects can be inconclusive. A leading practice is to supplement social media search with market intelligence and physical verification of details received (as much as possible).

Does your organization use social media search as part of internal investigations? What techniques do you use? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
